New Malware Pairs With Legitimate Software To Remain Undetected


In a newly created proof-of-concept hack, German researchers have been able to show that the mechanisms used for Internet software distribution can be turned into virus vectors without the original code being modified.

Felix Grobert, Ahmad-Reza Sadeghi and Marcel Winandy, researchers from Ruhr University Bochum, developed an on-the-fly mechanism that makes it possible to inject code into a download and remain undetected, The Register reported.

The hack requires two components: Cyanid, which intercepts, filters and modifies HTTP downloads, and a binder called Calcium, which infects the downloaded binaries. It also depends on being able to redirect the victim's traffic through the attacker's proxy; without that redirection the download is never touched.

“Our algorithm deploys virus infection routines and network redirection attacks, without requiring to modify the application itself,” the group wrote in a research paper. “This allows to even infect executables with an embedded signature when the signature is not automatically verified before execution.”

Linking To Legitimate Software To Stay Hidden
The attack works by using the Calcium binder to bundle the original application with the malicious code. When the infected application is launched, the binder runs first: it writes the embedded executables to files of its own, reconstructs them, and launches them without any visible change for the user. Because the original application's bytes are left intact, the malware can be attached to an executable that carries an embedded signature and still run in scenarios where that signature is not checked before execution.

The researchers suggest that organizations attempting to mitigate the results of such an attack should tighten the delivery mechanisms they use to protect against traffic hijackers, according to the Register.

Current antivirus software could also be extended to detect the presence of binders, and trusted virtualization architectures would help as well, since the secure, verifiable boot process they use keeps critical applications isolated from an infected download.
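The researchers' caveat is that an embedded signature only protects a download when it is actually verified before the file runs. As an added example (not code from the Ruhr University paper or from Entrust, and using a constructed installer, manifest and file name), the following Python gates execution on a SHA-256 digest that the vendor publishes out of band, in the common SHA256SUMS layout. It is a simpler cousin of code-signature verification: the reference value is not fetched over the same channel a traffic hijacker controls, and an artifact whose bytes were changed in transit is refused before anything is executed.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded installer; a real one would be the raw
# bytes fetched over HTTP. The 'MZ' prefix only mimics a Windows executable header.
ORIGINAL_DOWNLOAD = b"MZ" + bytes(range(256)) * 4

# Constructed in-transit modification: extra bytes appended to the artifact, the
# kind of change a download-rewriting proxy leaves behind.
MODIFIED_DOWNLOAD = ORIGINAL_DOWNLOAD + b"\x00" * 64 + b"extra-section"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the SHA256SUMS layout ("<hex digest>  <file name>") that a
# vendor publishes out of band, separate from the download itself. The file name
# is hypothetical.
PUBLISHED_MANIFEST = (
    "# Release checksums (constructed example)\n"
    f"{sha256_hex(ORIGINAL_DOWNLOAD)}  example-installer.exe\n"
)


def parse_sha256sums(manifest: str) -> dict:
    """Parse a SHA256SUMS-style manifest into {file name: lowercase hex digest}.

    Malformed lines raise instead of being skipped, so a corrupted manifest cannot
    silently leave a file without a pinned digest.
    """
    expected = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest = parts[0].lower()
        name = parts[1].lstrip("*")  # leading '*' marks binary mode in coreutils output
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"invalid SHA-256 digest for {name!r}")
        expected[name] = digest
    return expected


def verify_download(name: str, data: bytes, expected: dict) -> tuple:
    """Return (ok, reason). ok is True only when the artifact's digest matches the
    pinned one; an unknown file or a mismatch is a refusal to execute."""
    if name not in expected:
        return False, f"no pinned digest for {name!r}; refusing to run"
    actual = sha256_hex(data)
    # Constant-time comparison, so timing does not reveal how much of the digest matched.
    if hmac.compare_digest(actual, expected[name]):
        return True, "digest matches published manifest"
    return False, f"digest mismatch (expected {expected[name][:12]}..., got {actual[:12]}...)"


def check_release(name: str, data: bytes) -> bool:
    """The gate an updater would call before launching a downloaded artifact."""
    ok, reason = verify_download(name, data, parse_sha256sums(PUBLISHED_MANIFEST))
    print(f"{name}: {'ALLOW' if ok else 'BLOCK'} - {reason}")
    return ok


if __name__ == "__main__":
    check_release("example-installer.exe", ORIGINAL_DOWNLOAD)  # ALLOW
    check_release("example-installer.exe", MODIFIED_DOWNLOAD)  # BLOCK: bytes changed in transit
    check_release("unlisted-tool.exe", ORIGINAL_DOWNLOAD)      # BLOCK: nothing pinned for it
```

The design point is the ordering: the check runs before the artifact is executed and its reference value comes from a channel the download path does not share. A full code-signing check (Authenticode or a detached OpenPGP signature) is the stronger form of the same gate, since it also binds the digest to the publisher's key rather than to a manifest that must itself be fetched securely.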

As malware and cyberattacks grow increasingly harmful, companies are making larger investments into services that will help improve enterprise security. A recent ABI Research study estimates that the market for data loss prevention solutions will grow to $1.7 billion by the end of this year, Business Wire reports.

Part of the increase in cybersecurity spending is due to the number of people affected by cyberattacks last year, when more than 800 million records were compromised in data breaches.

For organizations looking to increase enterprise security and improve data loss prevention, strong authentication is a reliable way to protect privileged information. This security technique requires users to enter multiple forms of identification before accessing sensitive data, ensuring malicious actors cannot obtain information they are not authorized to have.

IdentityOn Blog

Entrust has been at the forefront of the identity-based security market for nearly two decades. Our identity-based security solutions secure governments, enterprises, and financial institutions in more than 5,000 organizations spanning 85 countries.